From 035aefc8a25f4f75f3eb2e8cfb4dd0c60e0d2f67 Mon Sep 17 00:00:00 2001 From: Jane Chu <7559015+janechu@users.noreply.github.com> Date: Thu, 18 Jul 2024 10:26:38 -0700 Subject: [PATCH] Update CodeQL scanning to separate workflow and fix issues (#7005) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit # Pull Request ## 📖 Description This change moves the CodeQL scan to a separate workflow, adds a workflow dispatch to the platform workflow and fixes a few issues identified by CodeQL. It also fixes some change files dependency types. ## ✅ Checklist ### General - [ ] I have included a change request file using `$ npm run change` - [ ] I have added tests for my changes. - [x] I have tested my changes. - [ ] I have updated the project documentation to reflect my changes. - [x] I have read the [CONTRIBUTING](https://github.com/microsoft/fast/blob/master/CONTRIBUTING.md) documentation and followed the [standards](https://github.com/microsoft/fast/blob/master/CODE_OF_CONDUCT.md#our-standards) for this project. --- .github/workflows/ci-validate-codeql.yml | 65 +++++++++++++++++++ .github/workflows/ci-validate-platforms.yml | 12 +--- ...-66c55455-9b64-4d8c-a517-be10925cfd1a.json | 2 +- ...-ed4fc460-a15b-4c5a-adab-36034f4f0c18.json | 7 ++ ...-7a94883b-0ee2-4e65-918c-91a2ce70ebc6.json | 7 -- ...-8b07e1d4-0e01-4065-9377-aa36685a56ca.json | 7 ++ ...-f22b45fd-23fb-4386-82fa-72d59f744cd6.json | 2 +- .../fast-element/src/components/hydration.ts | 8 +-- .../fast-element/src/dom-policy.ts | 2 +- .../fast-router/src/query-string.ts | 23 ++++--- 10 files changed, 101 insertions(+), 34 deletions(-) create mode 100644 .github/workflows/ci-validate-codeql.yml create mode 100644 change/@microsoft-fast-element-ed4fc460-a15b-4c5a-adab-36034f4f0c18.json delete mode 100644 change/@microsoft-fast-foundation-7a94883b-0ee2-4e65-918c-91a2ce70ebc6.json create mode 100644 change/@microsoft-fast-router-8b07e1d4-0e01-4065-9377-aa36685a56ca.json 
diff --git a/.github/workflows/ci-validate-codeql.yml b/.github/workflows/ci-validate-codeql.yml
new file mode 100644
index 00000000000..e815e6e13e7
--- /dev/null
+++ b/.github/workflows/ci-validate-codeql.yml
@@ -0,0 +1,65 @@
+name: Validate CodeQL
+
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - master
+
+ pull_request:
+ branches:
+ - master
+
+ schedule:
+ - cron: 0 7 * * 3
+
+permissions:
+ security-events: write
+
+jobs:
+ cross-platform_cross-browser:
+ runs-on: ${{ matrix.os }}
+
+ strategy:
+ fail-fast: true
+ matrix:
+ os: [ubuntu-latest]
+
+ env:
+ PLAYWRIGHT_BROWSERS_PATH: 0
+
+ steps:
+ - name: Set git to use LF
+ if: ${{ matrix.os == 'windows-latest' }}
+ run: |
+ git config --global core.autocrlf false
+ git config --global core.eol lf
+
+ - name: Checkout Branch
+ uses: actions/checkout@v2
+
+ - if: ${{ github.event_name == 'pull_request' }}
+ run: |
+ git fetch --no-tags --prune --depth=1 origin +refs/heads/master:refs/remotes/origin/master
+
+ - name: Cache multiple paths
+ uses: actions/cache@v2
+ env:
+ cache-name: cache-node-modules
+ with:
+ path: ~/.npm
+ key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/package-lock.json') }}
+ restore-keys: |
+ ${{ runner.os }}-build-${{ env.cache-name }}-
+ ${{ runner.os }}-build-
+ ${{ runner.os }}-
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: javascript-typescript
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:javascript-typescript"
diff --git a/.github/workflows/ci-validate-platforms.yml b/.github/workflows/ci-validate-platforms.yml
index 40ea50ec582..95bca8bc9e0 100644
--- a/.github/workflows/ci-validate-platforms.yml
+++ b/.github/workflows/ci-validate-platforms.yml
@@ -1,6 +1,7 @@
 name: Validate Platforms/Browsers
 
 on:
+ workflow_dispatch:
 push:
 branches:
 - master
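Review bot: The `permissions:` block in the new workflow grants only `security-events: write`, and declaring any scope sets every undeclared one to `none`; `actions/checkout` and the codeql-action upload are documented as needing `contents: read` and `actions: read`, so add `actions: read` and `contents: read` under `permissions:`. The `pull_request` trigger will also fire for forked PRs, where the token is read-only and the SARIF upload step is expected to fail — presumably acceptable, but worth confirming before this becomes a required check. Separately, `actions/checkout@v2` and `actions/cache@v2` are mutable major tags on deprecated runtimes while the CodeQL steps already use `@v3`; pinning all four to a commit SHA (or at least the current major) keeps the supply-chain posture consistent with a security-scanning workflow. The windows LF step, the `PLAYWRIGHT_BROWSERS_PATH` env and the npm cache look carried over from the platforms workflow and are dead here with an ubuntu-only matrix and no install step.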
@@ -64,15 +65,4 @@ jobs:
 npx playwright install
 
 - name: Run tests in all Packages
- if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
 run: npm run test
-
- - name: Initialize CodeQL
- if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
- uses: github/codeql-action/init@v1
- with:
- languages: javascript, typescript
-
- - name: Perform CodeQL Analysis
- if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
- uses: github/codeql-action/analyze@v1
diff --git a/change/@microsoft-fast-element-66c55455-9b64-4d8c-a517-be10925cfd1a.json b/change/@microsoft-fast-element-66c55455-9b64-4d8c-a517-be10925cfd1a.json
index 0a3001b905f..abd7881a4e0 100644
--- a/change/@microsoft-fast-element-66c55455-9b64-4d8c-a517-be10925cfd1a.json
+++ b/change/@microsoft-fast-element-66c55455-9b64-4d8c-a517-be10925cfd1a.json
@@ -3,5 +3,5 @@
 "comment": "Adds support for FASTElement hydration",
 "packageName": "@microsoft/fast-element",
 "email": "171390049+prabhujayapal@users.noreply.github.com",
- "dependentChangeType": "patch"
+ "dependentChangeType": "prerelease"
 }
diff --git a/change/@microsoft-fast-element-ed4fc460-a15b-4c5a-adab-36034f4f0c18.json b/change/@microsoft-fast-element-ed4fc460-a15b-4c5a-adab-36034f4f0c18.json
new file mode 100644
index 00000000000..7d46a8af07a
--- /dev/null
+++ b/change/@microsoft-fast-element-ed4fc460-a15b-4c5a-adab-36034f4f0c18.json
@@ -0,0 +1,7 @@
+{
+ "type": "prerelease",
+ "comment": "Fix CodeQL issues",
+ "packageName": "@microsoft/fast-element",
+ "email": "7559015+janechu@users.noreply.github.com",
+ "dependentChangeType": "prerelease"
+}
diff --git a/change/@microsoft-fast-foundation-7a94883b-0ee2-4e65-918c-91a2ce70ebc6.json b/change/@microsoft-fast-foundation-7a94883b-0ee2-4e65-918c-91a2ce70ebc6.json
deleted file mode 100644
index 670c3fcc0da..00000000000
--- a/change/@microsoft-fast-foundation-7a94883b-0ee2-4e65-918c-91a2ce70ebc6.json
+++ /dev/null
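Review bot: Dropping the `if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}` guard on the `Run tests in all Packages` step means `npm run test` now runs on every trigger of this workflow, not only on pushes to master; the PR description mentions only the added `workflow_dispatch`, so either state the widened test run explicitly or restore the guard if it was removed by accident along with the CodeQL steps. The workflow's `on:` block is only partly visible in this patch, so whether that now includes pull requests cannot be confirmed from here.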
@@ -1,7 +0,0 @@
-{
- "type": "none",
- "comment": "update FAST DOM shim for Playwright tests",
- "packageName": "@microsoft/fast-foundation",
- "email": "171390049+prabhujayapal@users.noreply.github.com",
- "dependentChangeType": "none"
-}
diff --git a/change/@microsoft-fast-router-8b07e1d4-0e01-4065-9377-aa36685a56ca.json b/change/@microsoft-fast-router-8b07e1d4-0e01-4065-9377-aa36685a56ca.json
new file mode 100644
index 00000000000..20d267cf0a0
--- /dev/null
+++ b/change/@microsoft-fast-router-8b07e1d4-0e01-4065-9377-aa36685a56ca.json
@@ -0,0 +1,7 @@
+{
+ "type": "prerelease",
+ "comment": "Fix CodeQL issues",
+ "packageName": "@microsoft/fast-router",
+ "email": "7559015+janechu@users.noreply.github.com",
+ "dependentChangeType": "prerelease"
+}
diff --git a/change/@microsoft-fast-ssr-f22b45fd-23fb-4386-82fa-72d59f744cd6.json b/change/@microsoft-fast-ssr-f22b45fd-23fb-4386-82fa-72d59f744cd6.json
index 20c505c1cfa..5b6f25e4f52 100644
--- a/change/@microsoft-fast-ssr-f22b45fd-23fb-4386-82fa-72d59f744cd6.json
+++ b/change/@microsoft-fast-ssr-f22b45fd-23fb-4386-82fa-72d59f744cd6.json
@@ -3,5 +3,5 @@
 "comment": "Adds support for FASTElement hydration",
 "packageName": "@microsoft/fast-ssr",
 "email": "171390049+prabhujayapal@users.noreply.github.com",
- "dependentChangeType": "patch"
+ "dependentChangeType": "prerelease"
 }
diff --git a/packages/web-components/fast-element/src/components/hydration.ts b/packages/web-components/fast-element/src/components/hydration.ts
index 30b2193ff23..3ba226b866f 100644
--- a/packages/web-components/fast-element/src/components/hydration.ts
+++ b/packages/web-components/fast-element/src/components/hydration.ts
@@ -15,8 +15,8 @@ const bindingStartMarker = /fe-b\$\$start\$\$(\d+)\$\$(.+)\$\$fe-b/;
 const bindingEndMarker = /fe-b\$\$end\$\$(\d+)\$\$(.+)\$\$fe-b/;
 const repeatViewStartMarker = /fe-repeat\$\$start\$\$(\d+)\$\$fe-repeat/;
 const repeatViewEndMarker = /fe-repeat\$\$end\$\$(\d+)\$\$fe-repeat/;
-const elementBoundaryStartMarker = /fe-eb\$\$start\$\$(.+)\$\$fe-eb/;
-const elementBoundaryEndMarker = /fe-eb\$\$end\$\$(.+)\$\$fe-eb/;
+const elementBoundaryStartMarker = /^(?:.{0,1000})fe-eb\$\$start\$\$(.+?)\$\$fe-eb/;
+const elementBoundaryEndMarker = /fe-eb\$\$end\$\$(.{0,1000})\$\$fe-eb(?:.{0,1000})$/;
 
 function isComment(node: Node): node is Comment {
 return node && node.nodeType === Node.COMMENT_NODE;
@@ -54,7 +54,7 @@ export const HydrationMarkup = Object.freeze({
 return repeatViewEndMarker.test(content);
 },
 isElementBoundaryStartMarker(node: Node) {
- return isComment(node) && elementBoundaryStartMarker.test(node.data);
+ return isComment(node) && elementBoundaryStartMarker.test(node.data.trim());
 },
 isElementBoundaryEndMarker(node: Node) {
 return isComment(node) && elementBoundaryEndMarker.test(node.data);
@@ -93,7 +93,7 @@ export const HydrationMarkup = Object.freeze({
 * Parses element Id from element boundary markers
 */
 parseElementBoundaryStartMarker(content: string): null | string {
- return parseStringMarker(elementBoundaryStartMarker, content);
+ return parseStringMarker(elementBoundaryStartMarker, content.trim());
 },
 parseElementBoundaryEndMarker(content: string): null | string {
 return parseStringMarker(elementBoundaryEndMarker, content);
diff --git a/packages/web-components/fast-element/src/dom-policy.ts b/packages/web-components/fast-element/src/dom-policy.ts
index faee6ddabdd..933290fcbc0 100644
--- a/packages/web-components/fast-element/src/dom-policy.ts
+++ b/packages/web-components/fast-element/src/dom-policy.ts
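Review bot: The `.{0,1000}` bounds and the `^`/`$` anchoring added to the two `elementBoundary*Marker` regexes are undocumented magic numbers, and they change what matches: the end marker's `(.{0,1000})` now accepts an empty id (`fe-eb$$end$$$$fe-eb`) where `(.+)` required at least one character, and it caps the id at 1000 characters while the start marker's `(.+?)` stays unbounded. Presumably these are a bounded-backtracking mitigation for a CodeQL polynomial-regex finding; say so above the pair, e.g. `// Anchors and bounded quantifiers keep matching linear on attacker-sized comment text (CodeQL polynomial-redos); ids beyond 1000 chars are intentionally not recognised.` If the empty id is not intended, use `(.{1,1000})` in the end marker so the two markers agree on minimum length. Note also the asymmetry — the start marker bounds junk before the marker, the end marker bounds junk after it — which is fine if deliberate but should be stated, since neither the other marker constants above nor `isComment` hint at it.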
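Review bot: `isElementBoundaryStartMarker` now trims `node.data` before testing while `isElementBoundaryEndMarker` on the next line does not, and the same asymmetry is repeated in the `parseElementBoundary*Marker` pair further down. Leading spaces are already tolerated by the start regex's `^(?:.{0,1000})` prefix, but `.` does not match newlines, so the trim is presumably there for comments that begin with a line break; the end regex ends in `(?:.{0,1000})$` and will likewise fail on a trailing newline, yet gets no trim. Either trim on both sides or neither, and record the reason with a one-line comment such as `// trim: the anchored regex cannot skip a leading newline` so the call is not removed as redundant later.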
@@ -77,7 +77,7 @@ function safeURL(
 ): DOMSink {
 return (target: Node, name: string, value: string, ...rest: any[]) => {
 if (isString(value)) {
- value = value.replace("javascript:", "");
+ value = value.replace(/(javascript:|vbscript:|data:)/, "");
 }
 
 sink(target, name, value, ...rest);
diff --git a/packages/web-components/fast-router/src/query-string.ts b/packages/web-components/fast-router/src/query-string.ts
index ddad8bb4094..f38e86f6406 100644
--- a/packages/web-components/fast-router/src/query-string.ts
+++ b/packages/web-components/fast-router/src/query-string.ts
@@ -1,5 +1,5 @@
 const encode = encodeURIComponent;
-const encodeKey = (key: string) => encode(key).replace("%24", "$");
+const encodeKey = (key: string) => encode(key).replace(/%24/g, "$");
 
 function buildParam(key: string, value: any, traditional?: boolean): Array {
 let result: string[] = [];
@@ -51,8 +51,12 @@ function processScalarParam(existedParam: any, value: string): any {
 return value;
 }
 
-function parseComplexParam(queryParams: Object, keys: string[], value: any): void {
- let currentParams: any = queryParams;
+function parseComplexParam(
+ queryParams: Record,
+ keys: string[],
+ value: any
+): void {
+ let currentParams: Record = queryParams;
 const keysLastIndex = keys.length - 1;
 
 for (let j = 0; j <= keysLastIndex; j++) {
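Review bot: `value.replace(/(javascript:|vbscript:|data:)/, "")` is still a substring blocklist rather than a scheme check, and it is bypassable on the visible line alone: the pattern is case-sensitive (`JavaScript:` passes untouched), it has no `g` flag so only the first match is removed (`javajavascript:script:alert(1)` becomes `javascript:alert(1)`), and browsers ignore leading whitespace and embedded tab/newline characters in a scheme (`java\tscript:`), none of which the regex sees. Decide by parsing instead: resolve the value with `new URL(value, base)`, compare its `protocol` against the deny-list, and replace the whole value rather than a fragment, as sketched below. Two behavioural points to confirm: rejecting `data:` outright also rejects `img src="data:image/png;base64,…"`, which the previous `javascript:`-only check allowed, and this relies on a global `URL` (present in browsers and Node ≥ 10, which matters if the SSR package routes through this policy). The enclosing `safeURL` function begins above the hunk, so the helper would sit beside it at module level.
```typescript
// Schemes that must never reach a URL sink. Compared against the parsed,
// already lower-cased protocol rather than the raw string, so case tricks,
// leading spaces and embedded tabs/newlines do not bypass the check.
const blockedSchemes = new Set(["javascript:", "vbscript:", "data:"]);

function hasBlockedScheme(value: string): boolean {
    try {
        // A fixed base lets relative URLs parse; only the scheme is inspected.
        return blockedSchemes.has(new URL(value, "https://fast.invalid/").protocol);
    } catch {
        return true; // unparseable input is not a URL worth emitting
    }
}

// … unchanged: safeURL signature …
    return (target: Node, name: string, value: string, ...rest: any[]) => {
        if (isString(value) && hasBlockedScheme(value)) {
            value = ""; // drop the whole value; stripping a prefix leaves a usable remainder
        }
        // … unchanged: sink call …
```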
@@ -61,13 +65,14 @@ function parseComplexParam(queryParams: Object, keys: string[], value: any): voi
 // The value has to be an array or a false value
 // It can happen that the value is no array if the key was repeated with traditional style like `list=1&list[]=2`
 const prevValue =
- !currentParams[key] || typeof currentParams[key] === "object"
- ? currentParams[key]
- : [currentParams[key]];
- currentParams = currentParams[key] =
- prevValue || (isNaN(keys[j + 1] as any) ? {} : []);
+ !currentParams.get(key) || typeof currentParams.get(key) === "object"
+ ? currentParams.get(key)
+ : [currentParams.get(key)];
+ currentParams.set(key, prevValue || (isNaN(keys[j + 1] as any) ? {} : []));
+ currentParams = currentParams.get(key);
 } else {
- currentParams = currentParams[key] = value;
+ currentParams.set(key, value);
+ currentParams = currentParams.get(key);
 }
 }
 }
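Review bot: `currentParams.set(key, …)` and `currentParams.get(key)` are called on plain objects, not `Map`s, so this throws `TypeError` at runtime: the nested container created by `prevValue || (isNaN(keys[j + 1] as any) ? {} : [])` is a literal `{}` or `[]`, and the next loop iteration calls `.set` on it regardless of what the caller passes at the top level (the parameter is typed `Record`, a plain-object type whose index signature is why `tsc` does not object to `.get`). If the motivation was CodeQL's prototype-pollution finding on `currentParams[key] = …` with attacker-chosen query-string keys, the fix is to refuse the dangerous keys and keep bracket access, as below; `key` (presumably `keys[j]`) and the `for` loop header are set above this hunk, so the guard belongs at the top of the loop body. Switching every container to `Map` or `Object.create(null)` would also work, but changes the shape callers of the query parser receive.
```typescript
// Keys that would walk or rewrite the prototype chain (`a[__proto__][x]=1`)
// are refused outright; this is the prototype-pollution guard.
const unsafeKeys = new Set(["__proto__", "constructor", "prototype"]);

// … unchanged: parseComplexParam signature and loop header …
        if (unsafeKeys.has(key)) {
            return; // drop the whole parameter rather than assign through it
        }
        // … unchanged: branch condition and comments …
            const prevValue =
                !currentParams[key] || typeof currentParams[key] === "object"
                    ? currentParams[key]
                    : [currentParams[key]];
            currentParams = currentParams[key] =
                prevValue || (isNaN(keys[j + 1] as any) ? {} : []);
        } else {
            currentParams = currentParams[key] = value;
        }
```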